Why malicious domain registrations are a growing problem [Q&A]

More than 16,000 COVID-19 related domains have been registered since January and while some are legitimate many have been set up to serve malware, create phishing pages, or scam site visitors.

And malicious domains aren't just a problem during the current pandemic, they're a growing issue across the internet. This is not helped by privacy rules which mean it's become harder for security researchers to use Whois to see who owns a domain.

We spoke to Patrick Martin, head of threat intelligence at cybersecurity firm Skurio to find out more about the problem and what ISPs can do to combat it.

BN: How big is the problem of malicious domains?

PM: For me as a professional it's a daily problem that I experience all the time. Probably the most significant one for me in recent months was travel firm Thomas Cook. Following the notice that they were closing down we were seeing somewhere between seven and 10 domains registered per day relating to the collapse.

We were looking at those, we were taking a tally of them as they came online, looking at who was registering them, whether there's a website or not, whether there was an MX (Mail Exchange) record or not, which would have indicated that it can be a phishing campaign or malicious. And then we have to come up with a risk matrix for those domains and decide which ones are potentially malicious.

BN: What can ISPs do to step up their efforts to protect customers?

PM: When you put a site online for anything you obviously have to provide a lot of information to the ISP. I would expect that ISP to show some level of diligence on that information they're receiving, at least through some form of verification or checking.

In some of these cases you can physically go online, pay a couple of dollars to register a domain, get access to that and potentially put a website up within minutes of registering. That's obviously something that's going to be abused.

Some services that provide anonymous email implement a cooling off period so once you sign up for one of their email addresses, you can't actually use it for 14 hours. That's a good thing because if an attacker wants to do something off the cuff they can't just go and create an account with that company, and then use it for malicious purposes. There's no reason why ISPs couldn't do something similar with new domains.

Also with big well known brand names like Coca Cola, IBM or Cisco, if a nondescript individual comes along to register one of these domains and manages to successfully do so then I think that is worthy of note, and ISPs should be able to challenge that. They could do an email verification or request some form of ID for example.

BN: How easy is it to get malicious domains taken down?

PM: Some ISPs are better than others at communicating with the likes of myself, or investigators in the private sector. Investigators and brand protectors trying to get content taken down are dealing with the policy of the ISP and conversing with law enforcement. Often though some form of paperwork is still required identifying what the issue is with the site, and why it needs to be taken down, all of which takes time.

At the end of the day the ISPs are facility businesses, and individuals and small businesses are entrusted to set up sites, but they do not get the problems that I see. The problem will get worse with the extra layers of top level domains (TLDs) opening up.

BN: Are GDPR and other privacy legislation proving problematic?

PM: It's not so bad for pre-existing pre-2018 domains, because we can see that information and have access to it, but certainly for anything post 2018 the information is redacted. Law enforcement can put in a request to the ISP to get that but it's more difficult for security researchers.

I see that the ISPs are the ones that have a lot of information, and they should be becoming more proactive. They've got the email address, got the IP address, got the payment information that was used to pay for the registration and, as you know, nearly every form of payment is traceable. So, in my view, any person who registers a domain is also traceable based on that fact.

Some ISPs are harder to communicate with, some could do much better portals on their sites or offer a clear indication of where to go to report a problem. At the moment often I end up having to email two or three addresses that I have to go into blind and then see what comes back.

BN: Do you think there's a role for artificial intelligence to spot these when they're registered or before they're registered?

PM: Either artificial intelligence or even just an algorithm. We and others tend to use algorithms to tackle this but even as smart as they are we still see the odd ones slipping through the net, which is a human thing: if you have seen the difference you can spot it, but sometimes you just miss it. Just moving letters around or missing letters out or doubling them up can fool the naked eye; it still looks like a name when obviously it's not.
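The two mechanics Martin describes, a risk matrix built from whether a new domain has a website or an MX record, and lookalike names made by swapping, dropping or doubling letters, are easy to put into a small triage script. The following is an added example, not code from the article or from Skurio: the brand list, the day's registration feed and the scoring weights are constructed for illustration, and a real pipeline would pull the feed from a zone file or certificate-transparency log and resolve the MX and HTTP facts itself.

```python
"""Triage newly registered domains against a list of monitored brands.

Added example, not code from the article or from Skurio. The brand list, the
registration feed and the scoring weights are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: brands to protect, as bare second-level labels.
BRANDS = ["thomascook"]

# Assumed weights for the risk matrix described in the interview.
WEIGHT = {"lookalike": 40, "contains": 25, "has_mx": 30, "has_website": 20}


@dataclass(frozen=True)
class Registration:
    domain: str        # newly seen domain name
    has_website: bool  # something answers over HTTP
    has_mx: bool       # MX record present, so the domain can receive mail


def lookalike_variants(label: str) -> set[str]:
    """Single-edit lookalikes of a brand label: two adjacent letters swapped,
    one letter dropped, one letter doubled. These still read as the brand."""
    variants: set[str] = set()
    for i in range(len(label) - 1):                              # swap i, i+1
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                  # drop letter i
        variants.add(label[:i + 1] + label[i] + label[i + 1:])   # double letter i
    variants.discard(label)  # swapping identical neighbours yields the original
    return variants


def match_brand(domain: str, brands: list[str]) -> Optional[tuple[str, str]]:
    """Return (brand, kind) with kind 'exact', 'lookalike' or 'contains'."""
    label = domain.lower().split(".")[0]
    for brand in brands:
        if label == brand:
            return brand, "exact"
        if label in lookalike_variants(brand):
            return brand, "lookalike"
        if brand in label:
            return brand, "contains"
    return None


def risk_score(reg: Registration, brands: list[str]) -> int:
    """Name similarity plus whether phishing infrastructure is already in place.
    An exact brand label is left to the registrant check, not scored here."""
    hit = match_brand(reg.domain, brands)
    if hit is None or hit[1] == "exact":
        return 0
    score = WEIGHT[hit[1]]
    if reg.has_mx:
        score += WEIGHT["has_mx"]
    if reg.has_website:
        score += WEIGHT["has_website"]
    return score


def band(score: int) -> str:
    """Assumed thresholds for the three triage bands."""
    return "high" if score >= 60 else "medium" if score >= 30 else "low"


def triage(feed: list[Registration], brands: list[str]) -> list[tuple[str, int, str]]:
    """Rank a day's registrations, most suspicious first, dropping non-matches."""
    scored = ((r.domain, risk_score(r, brands)) for r in feed)
    return sorted(((d, s, band(s)) for d, s in scored if s > 0), key=lambda t: -t[1])


# Constructed sample feed standing in for one day of new registrations.
SAMPLE_FEED = [
    Registration("thomascook.com", True, True),          # the brand itself
    Registration("thomascok.com", False, True),          # letter dropped, mail ready
    Registration("thomascook-refunds.net", True, True),  # brand plus lure word
    Registration("tohmascook.com", False, False),        # letters swapped, parked
    Registration("weatherblog.org", True, True),         # unrelated
]

if __name__ == "__main__":
    for domain, score, level in triage(SAMPLE_FEED, BRANDS):
        print(f"{level:6} {score:3} {domain}")
```

The generator deliberately stays at one edit per name: that is the class of change the interview says fools the eye, and it keeps the variant set small enough to check every new registration against every brand. Domains that merely contain the brand score lower than true lookalikes on the name alone, but the MX and website weights lift them once they are ready to send mail or host a page, which matches the order in which an investigator would want to look at them.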

BN: On a wider point, what are some of the other major issues we're seeing get exploited at the moment?

PM: For me personally, the biggest thing I see on a weekly basis is leaky buckets or insecure containers. Companies have the controls but either aren't activating them or aren't using them correctly. The other one is credential stuffing, where IDs and passwords stolen in breaches are tried against multiple sites. Some of this data has a long shelf life, with data going back to 2012.

© 1998-2022 BetaNews, Inc. All Rights Reserved.